4 years ago

Baseband Hacking: A New Frontier for Smartphone Break-ins

Security researcher Ralf-Philipp Weinmann says he has found a new way to hack into mobile devices - by using a baseband hack that takes advantage of bugs found in the firmware on mobile phone chipsets sold by Qulacomm and Infineon Technologies. Weinmann will demonstrate the hack on both an iPhone and an Android device at this week's Black Hat conference in Washington D.C.

Previously, mobile hacking attempts have involved the phone's operating system or other software, but this one focuses on breaking into a phone's baseband processor, which is the hardware that sends and receives radio signals to cell towers.

Baseband Hacking Details

In an IDG News Service report as well as a report on LinuxInsider, this new hack is described in detail. In short, it's a very technical undertaking which involves setting up a fake cell tower to communicate with the target devices. In past years, that was an impossible task due the costs involved - tens of thousands of dollars. But now, thanks to new open-source software called OpenBTS, anyone can build a tower with $2,000 worth of computer equipment. Mobile carriers are also making the necessary hardware more affordable, too, by providing femtocells to consumers in an effort to broaden their mobile coverage. These femtocells, like AT&T's 3G MicroCell, are even less expensive - AT&T's is just $150.00.

To perform the attack, Weinmann sets up a rogue base transceiver station which is used to send malicious code over-the-air to the target devices. The code exploits vulnerabilities found in the GSM/3GPP stacks on the phones' baseband processors. Says Weinmann, industry bodies like the GSM Association and the European Telecommunications Standards Institute have not considered the possibility of attacks like this.

Should You Be Concerned?

In addition to the cost of this particular hack - still a bit pricey - the code Weinmann wrote is notable because it involves in-depth knowledge of chipset firmware, something few hackers know much about, says the IDG news report.

Essentially, Weinmann is helping open up a whole new vector for smartphone hacking, an avenue which is just now being explored by a handful of researchers. In August, for example, Chris Paget demonstrated cell tower spoofing at the Defcon hacking conference in Las Vegas, after getting last-minute permission from the U.S. Federal Communications Commission to do so. And in two months time, other researchers will demonstrate more baseband attacking techniques at Vancouver's CanSecWest conference.

In other words, this is still an emerging area for hackers.

It's too early to say what the ramifications are for this new baseband hacking technique, but for now security experts say that the general public shouldn't worry about attacks like this coming in the near future.

According to Sophos security consultant Graham Cluley, "if someone wanted to spy on your mobile phone conversations it would be easier to trick the user into installing an app that spied on them or gain physical access to the mobile to install some spyware code," he said. "I would be surprised if anyone went to all of the effort that this researcher suggests."